The Computer Fraud and Abuse Act

Prohibited Conduct

The CFAA identifies seven categories of prohibited conduct, most of which criminalize certain uses of computers “without authorization” or in a manner “exceeding authorized access.” Most significantly, the CFAA imposes criminal liability on any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ' information from any protected computer.” While the CFAA does not define “without authorization,” it defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Since the CFAA defines “protected computer” as any computer “used in or affecting interstate or foreign commerce or communication,” virtually all business computers are covered.

While originally only a criminal statute, the CFAA was amended in 1994 to provide a civil cause of action. Employers immediately began taking advantage of the CFAA's civil cause of action to sue those who sought to use information misappropriated from the former employer's computer system. The courts' treatment of the CFAA in these civil cases has startling implications in the criminal sphere.

Interpretations of the CFAA

Federal courts are in disagreement with respect to the proper scope of the CFAA. Two sharply divergent views have arisen, referred to here as the “Agency View” and the “Access View.”

A significant number of federal courts ' including the First and Seventh Circuit Courts of Appeals ' have adopted the Agency View, whereby the CFAA is interpreted broadly and in accord with principles of agency law. Under this view, when an employee who is generally authorized to access certain computer information does so for personal benefit, that employee breaches his duty of loyalty to his employer, and thus renders the employee's access to the information “unauthorized.” As one court put it, the “breach of a duty of loyalty ' makes the accessing of computer files that had previously been authorized transform into unauthorized access under the CFAA.” NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1060 (S.D. Iowa 2009). Accordingly, if the employee acted with the intent to misuse the information for personal benefit, then “unauthorized” access has occurred ' even if the employee was previously authorized as a general matter to access the information.

Other courts, including the Ninth Circuit and several district courts, have adopted the Access View, whereby the CFAA is interpreted narrowly so as to target merely unauthorized access, not use. To these courts, the determinative issue is whether the employee's initial access to the computer was not permitted ' whether he acted “without authorization” or in a manner “exceeding authorized access.” These courts have generally reasoned that the CFAA is intended to punish computer hackers, electronic trespassers and other “outsiders,” but not employees who abuse computer access privileges to misuse information derived from their employment. Thus, under the Access View, an employee's subjective intent to misuse information is irrelevant. If the employee was permitted to access the information, then there is no CFAA violation, even if the employee intended at the time of access to misuse the information, and subsequently did. It is not yet clear which of these interpretations will prevail.

Prosecutors May Exploit the CFAA and the Agency View

Although the Agency View interpretation of the CFAA arose in the civil context, its most striking implications will surely be felt in the criminal sphere. A statute that provides both criminal and civil remedies must be interpreted consistently in both contexts. As a result, civil decisions espousing the Agency View are both influential and potentially precedential with respect to criminal actions. Therefore, in jurisdictions bound by the Agency View, every time an employee makes personal use of a company computer in breach of a fiduciary duty to an employer, he may be committing a criminal violation of the CFAA. In addition to using the CFAA to punish misbehaving employees, aggressive federal prosecutors may seek to bring charges under this statute to gain leverage on employees for purposes of furthering criminal investigations of their employers. Thus, the CFAA could also provide a significant new weapon in the prosecution of corporate financial crime by better enabling authorities to pressure rank-and-file employees into cooperation.

Moreover, prosecutors will have a strong incentive to proceed under the CFAA given its wide application. Although other federal statutes have been used to prosecute the theft of electronic information ' including the mail and wire fraud statutes (18 U.S.C. ” 1341 and 1343), Economic Espionage Act (18 U.S.C. ' 1831 et seq.), Trade Secrets Act (18 U.S.C. ' 1905), National Stolen Property Act (18 U.S.C. ' 2314) and Stored Communications Act (18 U.S.C. ' 2701 et seq.) ' these statutes have significant limitations with respect to employee misconduct, and none presents the “just add water” quality of the CFAA.

The mail and wire fraud statutes, for example, prohibit use of the mail or wire communications for the purposes of executing a “scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses.” “Property” in this context includes electronically stored information. Carpenter v. United States, 484 U.S. 19, 25-26 (1987). Moreover, an employee who deprives an employer of “honest services” may violate the mail and wire fraud statutes, and misappropriation of confidential information likely meets the applicable standard. However, while the elements of mail and wire fraud are relatively easy to meet, these statutes require the use of the mail or wires, a circumstance often missing from cases involving theft of confidential information via, for example, a simple thumb drive. Moreover, the honest-services doctrine is currently at risk of invalidation by the Supreme Court. See United States v. Skilling, 554 F.3d 529 (5th Cir. 2009), cert. granted, Skilling v. United States, 130 S. Ct. 393 (2009).

Then there is the Economic Espionage Act of 1996 (EEA), which criminalizes the knowing theft of trade secrets or other intangible information. Although with this statute Congress sought to punish “the disgruntled former employee who walks out of his former company with a computer diskette full of engineering schematics,” the elements of an EEA violation are more onerous than those of a criminal violation of the CFAA under the Agency View, which essentially requires only the intentional access of confidential information for an improper purpose and thus significantly relaxes the statute's requirements.

The other three statutes designed to punish theft of confidential information all have unique shortcomings not present in the CFAA. The Trade Secrets Act forbids the unauthorized disclosure of confidential government information, including trade secrets, yet it applies only to government employees. The National Stolen Property Act criminalizes theft of “goods, wares, merchandise, securities or money,” and courts have held that purely intangible intellectual property does not constitute goods, wares, or merchandise in that context. Finally, while the Stored Communications Act targets those who intentionally and without authorization access “a facility through which an electronic communication service is provided,” it is limited to facilities involving communication networks.

Conclusion

The Agency View of the CFAA, along with honest-services fraud under the mail and wire fraud statutes, is part of the broad trend toward the federal criminalization of certain common-law torts committed by employees against their employers. Prosecutors, of course, like weapons of this sort ' charges with broad reach, simple elements, and scores of potential offenders. Indeed, employees everywhere ' but especially those in the First and Seventh Circuits ' must be on best behavior, as what constitutes “authorization” is simply not clear. In any event, aggressive federal prosecutors may have a new weapon in their arsenals to prosecute even low-level employee thefts of confidential employer information.

Stanley S. Arkin ([email protected]), a member of this newsletter's Board of Editors, is senior partner at New York's Arkin Kaplan Rice LLP. He is the lead author of “Business Crime” and “The Prevention and Prosecution of Computer and Technology Crime” and a fellow of the American College of Trial Lawyers. Sean R. O'Brien ([email protected]) is a Partner at the firm. David M. Pohl ([email protected]) is a partner at New York's Pohl LLP, where his practice includes criminal defense and civil litigation.

It should come as no surprise that, since the rise of the personal computer in the 1970s, cyber-criminals have remained one step ahead of government efforts to prevent or punish their crimes. They steal, sabotage and destroy electronic data, and the law plays catch-up. Early attempts to prosecute these crimes under traditional trespass theories and larceny statutes proved flawed, as such statutes generally do not cover electronically stored data. Since then, legislators have acted with varying degrees of success in their effort to target computer-related crimes.

The CFAA

Prosecutors' weapon of choice in this field may soon be the Computer Fraud and Abuse Act of 1984 (CFAA), 18 U.S.C. ' 1030, in particular with respect to crimes involving employee theft of confidential information. Although the CFAA was principally aimed at hackers bent on stealing information or disrupting computer functionality, as well as criminals capable of gaining control over systems vital to everyday life, it has been interpreted by influential federal courts to prohibit ' and thus criminalize ' a broad range of employee uses of employer computers. This development is all the more important because the federal government has increased the number of criminal prosecutions of cybercrimes over recent years. In February of this year, Attorney General Eric Holder created a Department of Justice (DOJ) task force on intellectual property. Then, in April, the DOJ announced it would devote significant new resources to combating intellectual property crimes, such as theft of trade secrets and computer hacking. This is not merely a stated policy; the DOJ has recently commenced prosecutions of several programmers accused of misappropriating computer code, including a high-profile investigation involving investment firm Goldman Sachs.

Prohibited Conduct

The CFAA identifies seven categories of prohibited conduct, most of which criminalize certain uses of computers “without authorization” or in a manner “exceeding authorized access.” Most significantly, the CFAA imposes criminal liability on any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ' information from any protected computer.” While the CFAA does not define “without authorization,” it defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Since the CFAA defines “protected computer” as any computer “used in or affecting interstate or foreign commerce or communication,” virtually all business computers are covered.

While originally only a criminal statute, the CFAA was amended in 1994 to provide a civil cause of action. Employers immediately began taking advantage of the CFAA's civil cause of action to sue those who sought to use information misappropriated from the former employer's computer system. The courts' treatment of the CFAA in these civil cases has startling implications in the criminal sphere.

Interpretations of the CFAA

Federal courts are in disagreement with respect to the proper scope of the CFAA. Two sharply divergent views have arisen, referred to here as the “Agency View” and the “Access View.”

A significant number of federal courts ' including the First and Seventh Circuit Courts of Appeals ' have adopted the Agency View, whereby the CFAA is interpreted broadly and in accord with principles of agency law. Under this view, when an employee who is generally authorized to access certain computer information does so for personal benefit, that employee breaches his duty of loyalty to his employer, and thus renders the employee's access to the information “unauthorized.” As one court put it, the “breach of a duty of loyalty ' makes the accessing of computer files that had previously been authorized transform into unauthorized access under the CFAA.” NCMIC Fin. Corp. v. Artino , 638 F. Supp. 2d 1042, 1060 (S.D. Iowa 2009). Accordingly, if the employee acted with the intent to misuse the information for personal benefit, then “unauthorized” access has occurred ' even if the employee was previously authorized as a general matter to access the information.

Other courts, including the Ninth Circuit and several district courts, have adopted the Access View, whereby the CFAA is interpreted narrowly so as to target merely unauthorized access, not use. To these courts, the determinative issue is whether the employee's initial access to the computer was not permitted ' whether he acted “without authorization” or in a manner “exceeding authorized access.” These courts have generally reasoned that the CFAA is intended to punish computer hackers, electronic trespassers and other “outsiders,” but not employees who abuse computer access privileges to misuse information derived from their employment. Thus, under the Access View, an employee's subjective intent to misuse information is irrelevant. If the employee was permitted to access the information, then there is no CFAA violation, even if the employee intended at the time of access to misuse the information, and subsequently did. It is not yet clear which of these interpretations will prevail.

Prosecutors May Exploit the CFAA and the Agency View

Although the Agency View interpretation of the CFAA arose in the civil context, its most striking implications will surely be felt in the criminal sphere. A statute that provides both criminal and civil remedies must be interpreted consistently in both contexts. As a result, civil decisions espousing the Agency View are both influential and potentially precedential with respect to criminal actions. Therefore, in jurisdictions bound by the Agency View, every time an employee makes personal use of a company computer in breach of a fiduciary duty to an employer, he may be committing a criminal violation of the CFAA. In addition to using the CFAA to punish misbehaving employees, aggressive federal prosecutors may seek to bring charges under this statute to gain leverage on employees for purposes of furthering criminal investigations of their employers. Thus, the CFAA could also provide a significant new weapon in the prosecution of corporate financial crime by better enabling authorities to pressure rank-and-file employees into cooperation.

Moreover, prosecutors will have a strong incentive to proceed under the CFAA given its wide application. Although other federal statutes have been used to prosecute the theft of electronic information ' including the mail and wire fraud statutes (18 U.S.C. ” 1341 and 1343), Economic Espionage Act (18 U.S.C. ' 1831 et seq.), Trade Secrets Act (18 U.S.C. ' 1905), National Stolen Property Act (18 U.S.C. ' 2314) and Stored Communications Act (18 U.S.C. ' 2701 et seq.) ' these statutes have significant limitations with respect to employee misconduct, and none presents the “just add water” quality of the CFAA.

The mail and wire fraud statutes, for example, prohibit use of the mail or wire communications for the purposes of executing a “scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses.” “Property” in this context includes electronically stored information. Carpenter v. United States , 484 U.S. 19, 25-26 (1987). Moreover, an employee who deprives an employer of “honest services” may violate the mail and wire fraud statutes, and misappropriation of confidential information likely meets the applicable standard. However, while the elements of mail and wire fraud are relatively easy to meet, these statutes require the use of the mail or wires, a circumstance often missing from cases involving theft of confidential information via, for example, a simple thumb drive. Moreover, the honest-services doctrine is currently at risk of invalidation by the Supreme Court. See United States v. Skilling , 554 F.3d 529 (5th Cir. 2009), cert. granted, Skilling v. United States , 130 S. Ct. 393 (2009).

Then there is the Economic Espionage Act of 1996 (EEA), which criminalizes the knowing theft of trade secrets or other intangible information. Although with this statute Congress sought to punish “the disgruntled former employee who walks out of his former company with a computer diskette full of engineering schematics,” the elements of an EEA violation are more onerous than those of a criminal violation of the CFAA under the Agency View, which essentially requires only the intentional access of confidential information for an improper purpose and thus significantly relaxes the statute's requirements.

The other three statutes designed to punish theft of confidential information all have unique shortcomings not present in the CFAA. The Trade Secrets Act forbids the unauthorized disclosure of confidential government information, including trade secrets, yet it applies only to government employees. The National Stolen Property Act criminalizes theft of “goods, wares, merchandise, securities or money,” and courts have held that purely intangible intellectual property does not constitute goods, wares, or merchandise in that context. Finally, while the Stored Communications Act targets those who intentionally and without authorization access “a facility through which an electronic communication service is provided,” it is limited to facilities involving communication networks.

Conclusion

The Agency View of the CFAA, along with honest-services fraud under the mail and wire fraud statutes, is part of the broad trend toward the federal criminalization of certain common-law torts committed by employees against their employers. Prosecutors, of course, like weapons of this sort ' charges with broad reach, simple elements, and scores of potential offenders. Indeed, employees everywhere ' but especially those in the First and Seventh Circuits ' must be on best behavior, as what constitutes “authorization” is simply not clear. In any event, aggressive federal prosecutors may have a new weapon in their arsenals to prosecute even low-level employee thefts of confidential employer information.

Stanley S. Arkin ([email protected]), a member of this newsletter's Board of Editors, is senior partner at New York's Arkin Kaplan Rice LLP. He is the lead author of “Business Crime” and “The Prevention and Prosecution of Computer and Technology Crime” and a fellow of the American College of Trial Lawyers. Sean R. O'Brien ([email protected]) is a Partner at the firm. David M. Pohl ([email protected]) is a partner at New York's Pohl LLP, where his practice includes criminal defense and civil litigation.